CN113507374B - Threshold signature method, device, equipment and storage medium - Google Patents

Info

Publication number: CN113507374B
Authority: CN (China)
Prior art keywords: secret, participant, signature, commitment, value
Legal status: Active
Application number: CN202110748702.8A
Other languages: Chinese (zh)
Other versions: CN113507374A (en)
Inventors: 童世红, 柳宇航, 胡慧潘
Current Assignee: Hundsun Technologies Inc
Original Assignee: Hundsun Technologies Inc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3255 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
    • H04L9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/3218 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H04L9/3252 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes

Abstract

The invention provides a threshold signature method, device, equipment and storage medium based on the SM2 signature algorithm. In the secret inverse element sharing link, a participant uses the homomorphic encryption public key of the counterpart to homomorphically encrypt its own temporary secret, a ciphertext and an interference factor, obtaining first encrypted data. When the counterpart verifies that the zero-knowledge proof is valid, it decrypts the first encrypted data with its own homomorphic encryption private key to obtain a first interaction secret. After the base value of the shared secret is calculated, the base values of the shared secret of all participants are used to calculate the inverse element of the shared secret. Because the inverse element of the shared secret is computed by homomorphic encryption, there is no degree doubling of a polynomial; therefore, in the (t, n) threshold, the number n of participants of the threshold signature method based on the SM2 signature algorithm only needs to be greater than or equal to the number t of participants taking part in the signature, and a valid digital signature can be generated without 2t + 1 participants.

Description

Threshold signature method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of data processing, in particular to a threshold signature method, a device, equipment and a storage medium based on an SM2 signature algorithm.
Background
An SM2 digital signature means that, for a public-private key pair [d, P] and a plaintext M, the signer holding the secret key d generates a digital string that cannot be forged by others, and other users can verify it using the public key P and the plaintext M. In a (t, n) threshold signature scheme, the secret key is shared as shares among n participants, any more than t participants can calculate the final signature, and no information about the private key or the participants' sub-private keys is disclosed during execution of the scheme.
On this basis, threshold signature schemes based on the SM2 signature algorithm exist in the prior art. In the current threshold signature schemes based on the SM2 signature algorithm, the secret inverse element has to be shared in the distributed key generation stage, and sharing the secret inverse element doubles the degree of the polynomial, so that n must be not less than 2t and 2t + 1 participants are required to generate a valid digital signature.
Disclosure of Invention
In view of this, embodiments of the present invention provide a threshold signature method, apparatus, device and storage medium based on the SM2 signature algorithm, so that n only needs to be greater than or equal to t, and only t participants are needed to generate a valid signature.
In order to achieve the above purpose, the embodiments of the present invention provide the following technical solutions:
The first aspect of the present application provides a threshold signature method based on the SM2 signature algorithm, including three stages of generating a distributed key, signing a plaintext to be signed, and verifying a signature, where sharing of a secret inverse element in the stage of generating the distributed key includes:
using the homomorphic encryption public key of the counterpart to homomorphically encrypt its own temporary secret $a_i$, a ciphertext $E_j(k_j)$ and an interference factor $\beta_{i,j}$, obtaining first encrypted data; wherein the ciphertext $E_j(k_j)$ is obtained by the counterpart encrypting its own random secret $k_j$ with its homomorphic encryption public key $P_j$; the counterpart refers to each of the n participants of the threshold signature method based on the SM2 signature algorithm;
calculating a zero-knowledge proof of the temporary secret $a_i$ and the interference factor $\beta_{i,j}$;
sending the zero-knowledge proof of the temporary secret and the interference factor, and the first encrypted data, to the counterpart;
receiving a base value $\delta_i$ of the shared secret sent by the counterpart; wherein the base value of the shared secret is calculated by the counterpart using its own temporary secret $a_i$, random secret $k_i$, interference factor, and the first interaction secret $\alpha_{i,j}$ of each participant; wherein the first interaction secret $\alpha_{i,j}$ is obtained by the counterpart decrypting the first encrypted data with its own homomorphic encryption private key when it verifies that the zero-knowledge proof of the temporary secret and the interference factor is valid;
and calculating the inverse element of the shared secret using the base value of the shared secret of each participant.
Optionally, the signing of the plaintext to be signed includes:
using the homomorphic encryption public key of the counterpart participant to homomorphically encrypt a weight value $w_i$, a ciphertext $E_j(k_j)$ and an interference factor $\beta_{i,j}$, obtaining second encrypted data; wherein the ciphertext $E_j(k_j)$ is obtained by the counterpart participant encrypting its random secret $k_j$ with its homomorphic encryption public key $P_j$; the weight value $w_i$ is obtained by converting the secret share $s_i$; the counterpart participant refers to each participant in the set of participants participating in the signature;
calculating a zero-knowledge proof of the weight value $w_i$ and the interference factor $\beta_{i,j}$;
sending the zero-knowledge proof of the weight value and the interference factor, and the second encrypted data, to the counterpart participant;
receiving the second commitment of the random secret $k_j$ sent by the counterpart participant;
when the second commitment of the random secret $k_j$ is verified to be valid, obtaining the target value $k_j \cdot G$ in the second commitment of the random secret $k_j$, calculating a target value R using the target value $k_j \cdot G$ in the second commitment of the random secret $k_j$ of each participant, and calculating a first signature value r using the target value R and the integer e corresponding to the plaintext M to be signed;
calculating its own signature base value $s_i$, and calculating a second signature value s using the signature base value $s_i$ of each participant and the first signature value r; wherein the signature base value $s_i$ is calculated using the base value $\delta_i$, the weight value $w_i$ and the first signature value r; the base value $\delta_i$ is calculated using its own weight value $w_i$, random secret $k_i$, interference factor and the second interaction secret $\alpha_{i,j}$ of each participant; the second interaction secret $\alpha_{i,j}$ is obtained by the counterpart decrypting the second encrypted data with its own homomorphic encryption private key when it verifies that the zero-knowledge proof of the weight value and the interference factor is valid;
and combining the first signature value and the second signature value to obtain the final signature (r, s).
Optionally, before the signing of the plaintext to be signed, the method further includes generating a set of participants participating in the signature, where generating the set of participants participating in the signature includes:
generating a homomorphic encryption public and private key pair, and calculating a first commitment and a second commitment; the first commitment is a commitment to the elliptic curve base point G, the public key P and the integer e corresponding to the plaintext M to be signed; the second commitment is a commitment to its own random secret $k_i$;
receiving the first commitment, the second commitment and the homomorphic encryption public key broadcast by the counterpart;
and if the first commitment broadcast by the counterpart is verified to be the same as its own first commitment, adding the counterpart, as a participant participating in the signature, to the set of participants participating in the signature, and saving the homomorphic encryption public key and the second commitment of the counterpart.
Optionally, computing the public key and the share in the stage of generating the distributed key includes:
receiving the X-axis abscissa $X_i$, the commitment of the polynomial coefficients, and the first commitment $D_i$ of the random secret $k_i$ broadcast by the counterpart;
checking the X-axis abscissa $X_i$ broadcast by the counterpart and, when it is not repeated, verifying whether the second commitment $C_i$ of the counterpart's random secret $k_i$ is valid;
if the second commitment of the random secret $k_i$ is verified to be valid, obtaining the target value $k_i \cdot G$ in the second commitment of the random secret $k_i$, and using the target value in the second commitment of the random secret $k_i$ of each participant to calculate the public key
Figure 641216DEST_PATH_IMAGE001
upon receiving a polynomial execution result $v_{i,j}$ broadcast by the counterpart, verifying whether the calculated result of the target polynomial $p_j(x)$ is equal to the target result; wherein, for the target polynomial $p_j(x)$, the target result is the product of the counterpart's polynomial execution result $v_{i,j}$ and the elliptic curve base point G;
if the calculated result of the target polynomial $p_j(x)$ is verified to be equal to the target result, calculating the share $sh_i$ using the polynomial execution result $v_{i,j}$ of each participant and the polynomial of degree t-1.
Optionally, after calculating the share $sh_i$ using the polynomial execution result $v_{i,j}$ of each participant and the polynomial of degree t-1, the method further includes:
calculating a zero-knowledge proof of the share $sh_i$ and broadcasting it to the counterpart;
upon receiving the zero-knowledge proof of the share $sh_i$ broadcast by each participant, if the zero-knowledge proof of the share $sh_i$ of each participant is verified to be valid, obtaining the characteristic value of the zero-knowledge proof of the share $sh_i$ of each participant;
verifying whether a target equation holds, wherein the target equation is:
Figure 823936DEST_PATH_IMAGE002
(ii) a In the formula, shiDenotes share per participant, G denotes base point of elliptic curve, delta-1Refers to the inverse of the shared secret,a i a temporary secret referring to each participant;
and if the target equation is verified to be established, judging that the generation of the share and the public key is finished.
A second aspect of the present application provides a threshold signature apparatus based on the SM2 signature algorithm, configured to perform three stages of generating a distributed key, signing a plaintext to be signed, and verifying a signature, where, for sharing a secret inverse element in the stage of generating the distributed key, the threshold signature apparatus includes:
a first encryption unit, configured to use the homomorphic encryption public key of the counterpart to homomorphically encrypt its own temporary secret $a_i$, a ciphertext $E_j(k_j)$ and an interference factor $\beta_{i,j}$, obtaining first encrypted data; wherein the ciphertext $E_j(k_j)$ is obtained by the counterpart encrypting its own random secret $k_j$ with its homomorphic encryption public key $P_j$; the counterpart refers to each of the n participants of the threshold signature method based on the SM2 signature algorithm;
a first calculation unit, configured to calculate a zero-knowledge proof of the temporary secret $a_i$ and the interference factor $\beta_{i,j}$;
a first transmitting unit, configured to transmit, to the counterpart, the zero-knowledge proof of the temporary secret and the interference factor, and the first encrypted data;
a first receiving unit, configured to receive a base value $\delta_i$ of the shared secret sent by the counterpart; wherein the base value of the shared secret is calculated by the counterpart using its own temporary secret $a_i$, random secret $k_i$, interference factor, and the first interaction secret $\alpha_{i,j}$ of each participant; wherein the first interaction secret $\alpha_{i,j}$ is obtained by the counterpart decrypting the first encrypted data with its own homomorphic encryption private key when it verifies that the zero-knowledge proof of the temporary secret and the interference factor is valid;
and a second calculation unit, configured to calculate the inverse element of the shared secret using the base value of the shared secret of each participant.
Optionally, for signing a plaintext to be signed, the threshold signature apparatus includes:
a second encryption unit, configured to use the homomorphic encryption public key of the counterpart participant to homomorphically encrypt a weight value $w_i$, a ciphertext $E_j(k_j)$ and an interference factor $\beta_{i,j}$, obtaining second encrypted data; wherein the ciphertext $E_j(k_j)$ is obtained by the counterpart participant encrypting its random secret $k_j$ with its homomorphic encryption public key $P_j$; the weight value $w_i$ is obtained by converting the secret share $s_i$; the counterpart participant refers to each participant in the set of participants participating in the signature;
a third calculation unit, configured to calculate a zero-knowledge proof of the weight value $w_i$ and the interference factor $\beta_{i,j}$;
a second sending unit, configured to send the zero-knowledge proof of the weight value and the interference factor, and the second encrypted data, to the counterpart participant;
a second receiving unit, configured to receive the second commitment of the random secret $k_j$ sent by the counterpart participant;
a first processing unit, configured to, when the second commitment of the random secret $k_j$ is verified to be valid, obtain the target value $k_j \cdot G$ in the second commitment of the random secret $k_j$, calculate a target value R using the target value $k_j \cdot G$ in the second commitment of the random secret $k_j$ of each participant, and calculate a first signature value using the target value R and the integer e corresponding to the plaintext M to be signed;
a fourth calculation unit, configured to calculate its own signature base value $s_i$, and calculate a second signature value s using the signature base value $s_i$ of each participant and the first signature value r; wherein the signature base value $s_i$ is calculated using the base value $\delta_i$, the weight value $w_i$ and the first signature value r; the base value $\delta_i$ is calculated using its own weight value $w_i$, random secret $k_i$, interference factor and the second interaction secret $\alpha_{i,j}$ of each participant; the second interaction secret $\alpha_{i,j}$ is obtained by the counterpart decrypting the second encrypted data with its own homomorphic encryption private key when it verifies that the zero-knowledge proof of the weight value and the interference factor is valid;
and a combining unit, configured to combine the first signature value and the second signature value to obtain the final signature (r, s).
Optionally, the apparatus further includes:
a generating unit, configured to generate a homomorphic encryption public and private key pair, and calculate a first commitment and a second commitment; the first commitment is a commitment to the elliptic curve base point G, the public key P and the integer e corresponding to the plaintext M to be signed; the second commitment is a commitment to its own random secret $k_i$;
a third receiving unit, configured to receive the first commitment, the second commitment and the homomorphic encryption public key broadcast by the counterpart;
and a storage unit, configured to, if the first commitment broadcast by the counterpart is verified to be the same as its own first commitment, add the counterpart, as a participant participating in the signature, to the set of participants participating in the signature, and store the homomorphic encryption public key and the second commitment of the counterpart.
Optionally, for computing the public key and the share in the stage of generating the distributed key, the threshold signature apparatus includes:
a fourth receiving unit, configured to receive the X-axis abscissa $X_i$, the commitment of the polynomial coefficients, and the first commitment $D_i$ of the random secret $k_i$ broadcast by the counterpart;
a first verification unit, configured to check the X-axis abscissa $X_i$ broadcast by the counterpart and, when it is not repeated, verify whether the second commitment $C_i$ of the counterpart's random secret $k_i$ is valid;
a second processing unit, configured to, if the second commitment of the random secret $k_i$ is verified to be valid, obtain the target value $k_i \cdot G$ in the second commitment of the random secret $k_i$, and use the target value in the second commitment of the random secret $k_i$ of each participant to calculate the public key
Figure 72515DEST_PATH_IMAGE001
a second verification unit, configured to, upon receiving a polynomial execution result $v_{i,j}$ broadcast by the counterpart, verify whether the calculated result of the target polynomial $p_j(x)$ is equal to the target result; wherein, for the target polynomial $p_j(x)$, the target result is the product of the counterpart's polynomial execution result $v_{i,j}$ and the elliptic curve base point G;
a fifth calculation unit, configured to, if the calculated result of the target polynomial $p_j(x)$ is verified to be equal to the target result, calculate the share $sh_i$ using the polynomial execution result $v_{i,j}$ of each participant and the polynomial of degree t-1.
Optionally, the apparatus further includes:
a sixth calculation unit, configured to calculate a zero-knowledge proof of the share $sh_i$;
a third transmitting unit, configured to broadcast the zero-knowledge proof to the counterpart;
an obtaining unit, configured to, upon receiving the zero-knowledge proof of the share $sh_i$ broadcast by each participant, if the zero-knowledge proof of the share $sh_i$ of each participant is verified to be valid, obtain the characteristic value of the zero-knowledge proof of the share $sh_i$ of each participant;
a third verification unit, configured to verify whether a target equation holds, where the target equation is:
Figure 405407DEST_PATH_IMAGE002
(ii) a In the formula, shiDenotes share per participant, G denotes base point of elliptic curve, delta-1Refers to the inverse of the shared secret,a i a temporary secret referring to each participant;
and the judging unit is used for judging that the generation of the share and the public key is finished if the target equation is verified to be established.
A third aspect of the present application provides a computer storage medium for storing a computer program which, when executed, implements the threshold signature method based on the SM2 signature algorithm according to any implementation of the first aspect.
A fourth aspect of the present application provides an electronic device comprising a memory and a processor;
wherein the memory is for storing a computer program;
the processor is configured to execute the computer program, and in particular, to implement the threshold signature method based on the SM2 signature algorithm according to any one of the first aspect.
With the threshold signature method, apparatus, device and storage medium based on the SM2 signature algorithm described above, in the secret inverse element sharing link of the distributed key generation stage, a participant uses the homomorphic encryption public key of the counterpart to encrypt its own temporary secret, a ciphertext and an interference factor, obtaining first encrypted data. When the counterpart verifies that the zero-knowledge proof of the temporary secret and the interference factor is valid, it decrypts the first encrypted data with its own homomorphic encryption private key to obtain a first interaction secret. After the base value of the shared secret is calculated, the base values of the shared secret of all participants are used to calculate the inverse element of the shared secret. Because the inverse element of the shared secret is calculated by homomorphic encryption, no polynomial needs to be constructed and there is no degree doubling of a polynomial; therefore, in the (t, n) threshold, the number n of participants of the threshold signature method based on the SM2 signature algorithm only needs to be greater than or equal to the number t of participants taking part in the signature, and a valid digital signature can be generated without 2t + 1 participants.
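The secret inverse element sharing link summarized above can be traced in the following added sketch, which is not code from the patent. It assumes textbook Paillier as the homomorphic scheme, takes k and a to be the sums of the participants' $k_i$ and $a_i$, and assumes the combination $\alpha_{i,j} = a_i k_j + \beta_{i,j}$ and the $\delta_i$ formula in the comments, because the patent's formula images did not survive on this page; the zero-knowledge proofs are omitted.

```python
import secrets

# Order of the base point G on the SM2 recommended curve (the page's N).
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


class Paillier:
    """Textbook Paillier with g = n + 1 (assumed stand-in for the page's
    unspecified homomorphic scheme). Only n is public; _lam and _mu are private."""

    def __init__(self, bits=288):
        # Two 288-bit primes give n > N*N + N, so a*k + beta never wraps mod n.
        p = random_prime(bits)
        q = random_prime(bits)
        while q == p:
            q = random_prime(bits)
        self.n, self.n2 = p * q, (p * q) ** 2
        self._lam = (p - 1) * (q - 1)
        self._mu = pow(self._lam, -1, self.n)

    def encrypt(self, m):
        r = secrets.randbelow(self.n - 1) + 1
        return (1 + m * self.n) * pow(r, self.n, self.n2) % self.n2

    def decrypt(self, c):
        return (pow(c, self._lam, self.n2) - 1) // self.n * self._mu % self.n

    def affine(self, c, scalar, addend):
        """Public-key-only operation: from E(m) produce E(scalar*m + addend)."""
        return pow(c, scalar, self.n2) * self.encrypt(addend) % self.n2


def share_inverse(a, k):
    """Return ([delta_i], delta^-1 mod N) for per-party secrets a[i], k[i]."""
    ids = range(len(a))
    keys = [Paillier() for _ in ids]               # one key pair per participant
    enc_k = [keys[j].encrypt(k[j]) for j in ids]   # U_j broadcasts E_j(k_j)
    alpha, beta = {}, {}
    for i in ids:
        for j in ids:
            if i == j:
                continue
            beta[i, j] = secrets.randbelow(N)      # interference factor in [0, N-1]
            # U_i works on U_j's ciphertext using U_j's public key only
            # (assumed formula: alpha_ij = a_i * k_j + beta_ij).
            c = keys[j].affine(enc_k[j], a[i], beta[i, j])
            # The zero-knowledge proof of a_i and beta_ij would be checked here.
            alpha[i, j] = keys[j].decrypt(c) % N   # U_j decrypts with its private key
    delta_i = []
    for i in ids:
        received = sum(alpha[j, i] for j in ids if j != i)  # decrypted by U_i
        sent = sum(beta[i, j] for j in ids if j != i)       # masks chosen by U_i
        delta_i.append((a[i] * k[i] + received - sent) % N)
    delta = sum(delta_i) % N                       # equals k * a mod N
    return delta_i, pow(delta, -1, N)


if __name__ == "__main__":
    a = [secrets.randbelow(N - 1) + 1 for _ in range(3)]   # constructed sample secrets
    k = [secrets.randbelow(N - 1) + 1 for _ in range(3)]
    delta_i, delta_inv = share_inverse(a, k)
    print("sum(delta_i) == k*a mod N:", sum(delta_i) % N == sum(k) * sum(a) % N)
    print("delta_inv * k * a mod N  :", delta_inv * sum(k) * sum(a) % N)
```

Each $\delta_i$ is masked by the interference factors, and only their sum equals k × a, so the inverse is obtained from additive shares with no product of sharing polynomials.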
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description are only embodiments of the present invention, and those skilled in the art can obtain other drawings from the provided drawings without creative effort.
FIG. 1 is a timing diagram illustrating a secret inverse element sharing method according to an embodiment of the present application;
FIG. 2 is a timing diagram illustrating a method for calculating the public key and the share according to another embodiment of the present application;
FIG. 3 is a timing diagram illustrating a method for generating a set of participants participating in a signature according to another embodiment of the present application;
FIG. 4 is a timing diagram illustrating a method for computing a signature according to another embodiment of the present application;
FIG. 5 is a structural diagram of a threshold signature apparatus based on the SM2 signature algorithm according to another embodiment of the present application;
FIG. 6 is a structural diagram of a threshold signature apparatus based on the SM2 signature algorithm according to another embodiment of the present application;
FIG. 7 is a block diagram of an electronic device according to another embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The embodiments of the present invention provide a threshold signature method, apparatus, device and storage medium based on the SM2 signature algorithm, so that n only needs to be greater than or equal to t, and only t participants are needed to generate a valid signature.
The threshold signature method based on the SM2 signature algorithm disclosed in the embodiments of the present application mainly comprises three stages, as follows:
1. Distributed key generation
For a (t, n) threshold, the n participants generate a public key P by interaction, and each holds a secret share.
2. Signature
Among the n participants, t or more participants holding secret shares perform the computation on the plaintext M to be signed to obtain an unforgeable digital signature, and the public key P is used for signature verification.
3. Signature verification
The public key P, the plaintext M and the digital signature are used to verify whether the signature is valid.
It should be noted that the distributed key generation stage may itself be completed in three stages: a preparation stage, secure computation of the inverse element of k × a, and computation of the public key and the share, which are described below through embodiments.
I. Preparation stage:
Each participant (called $U_i$) performs the following operations:
1) An SM2 national cryptographic elliptic curve is selected, with base point G and order N.
2) Each using a secure random number to generate a random secretk i
Figure 148673DEST_PATH_IMAGE003
Calculate the respectivek i ·GAnd their hash commitments
Figure 439978DEST_PATH_IMAGE004
(ii) a Wherein: acceptance verification
Figure 910273DEST_PATH_IMAGE005
Promise of
Figure 578015DEST_PATH_IMAGE006
The commitment verification D_i may be referred to as the first commitment of the random secret k_i, and the commitment C_i as the second commitment of the random secret k_i. In the commitment verification D_i, data refers to k_i·G, salt refers to rand salt (a randomly added salt), and
Figure 715735DEST_PATH_IMAGE007
denotes binary concatenation.
3) Each participant uses a secure random number to generate a temporary secret a_i, a_i ∈ [1, N-1], and calculates its fixed point
Figure 177940DEST_PATH_IMAGE008
4) Each participant generates a homomorphic encryption public-private key pair (any algorithm that supports additive and multiplicative homomorphism may be used).
5) Each participant broadcasts the hash commitment C_i of its random secret k_i, its fixed point R_i and its homomorphic encryption public key P_i.
6) After receiving the broadcast messages of the other parties, each participant stores the hash commitment C_i of the random secret k_i and the fixed point R_i.
Second, secure computation of the inverse element of k × a:
The method for sharing the secret inverse element disclosed in this embodiment of the application, as shown in fig. 1, includes the following steps:
S101, each participant (called U_j) uses its own homomorphic encryption public key P_j to encrypt the random secret k_j it holds, obtaining the ciphertext E_j(k_j) of the random secret k_j, and broadcasts it to the other participants U_i.
After receiving E_j(k_j), each receiver U_i executes the following steps:
S102, generate a value in [0, N-1] using a secure random number as the interference factor β_{i,j}, and calculate
Figure 666691DEST_PATH_IMAGE009
S103, using the homomorphic encryption public key P_j of the other participant U_j, homomorphically encrypt its own temporary secret a_i, the ciphertext E_j(k_j) and the interference factor β_{i,j}, and calculate the first encrypted data E(α_{i,j}).
The calculation formula of the first encrypted data E(α_{i,j}) is as follows:
Figure 341386DEST_PATH_IMAGE010
S104, calculate a zero-knowledge proof of the temporary secret a_i it holds and the interference factor β_{i,j}.
Any algorithm supporting zero-knowledge proofs of knowledge may be used to compute the zero-knowledge proof of a_i and β_{i,j}. The extended Schnorr non-interactive zero-knowledge proof of knowledge protocol is described below as an example.
The steps of computing the zero-knowledge proof of a_i and β_{i,j} comprise:
① U_i uses its own temporary secret a_i, the interference factor β_{i,j} and its own fixed point R_i to calculate the value V; the calculation formula is as follows:
Figure 333612DEST_PATH_IMAGE011
② Generate two random numbers m, n and calculate the alpha value:
Figure 232298DEST_PATH_IMAGE012
③ Calculate
Figure 942765DEST_PATH_IMAGE013
where H is the agreed hash algorithm, such as SM3.
④ Calculate
Figure 686730DEST_PATH_IMAGE014
Figure 799043DEST_PATH_IMAGE015
. N is the order of the SM2 elliptic curve.
The result (V, u, t, alpha) is the verifiable proof: with the other party's fixed point R_i received in the previous step and this proof, the verifier can confirm that the other party really holds a_i and β_{i,j}, without learning their actual values.
S105, the first encrypted data E(α_{i,j}) and the zero-knowledge proof are returned to the other party.
After receiving the first encrypted data E(α_{i,j}) and the zero-knowledge proof sent back by the other party, participant U_j performs the following steps:
S106, verify the zero-knowledge proof.
Take the extended Schnorr non-interactive zero-knowledge proof as an example:
① Using the fixed point R_i of the other party U_i obtained in the previous step and the received zero-knowledge proof (V, u, t, alpha), calculate
Figure 603051DEST_PATH_IMAGE016
② Calculate and check whether the following equation holds:
Figure 800814DEST_PATH_IMAGE017
where G is the base point of the SM2 elliptic curve, · represents elliptic curve point multiplication, and + represents elliptic curve point addition.
S107, when the zero-knowledge proof is verified as legal, decrypt the first encrypted data with its own homomorphic encryption private key to obtain the first interaction secret α_{i,j}, whose value is equal to:
Figure 345540DEST_PATH_IMAGE018
S108, after collecting the information of the other participants, use its own temporary secret a_i, random secret k_i and interference factors, together with the first interaction secret α_{i,j} of each participant, to calculate the base value δ_i of the shared secret; the calculation formula is as follows:
Figure 312359DEST_PATH_IMAGE019
and broadcast it to the other participants.
After receiving the base values δ_i of the shared secret from the other participants, each participant executes the following steps:
S109, calculate the shared secret
Figure 287269DEST_PATH_IMAGE020
Due to the fact that
Figure 706749DEST_PATH_IMAGE021
Figure 854833DEST_PATH_IMAGE022
Therefore:
Figure 676159DEST_PATH_IMAGE023
By the commutative law of addition, this gives:
Figure 821969DEST_PATH_IMAGE024
due to the fact that
Figure 728745DEST_PATH_IMAGE025
sums to zero after accumulation, it follows that δ is the product of the shared secrets a and k:
Figure 414942DEST_PATH_IMAGE026
S110, calculate the inverse element δ^-1 of the shared secret δ with respect to the SM2 elliptic curve.
From the above it can be seen that the inverse of the shared secret product of the two secrets k_i and a_i distributed among the n participants is obtained:
Figure 356353DEST_PATH_IMAGE027
it can further be seen that: for shared secrets
Figure 938644DEST_PATH_IMAGE028
And a temporary shared secret a
Figure 67137DEST_PATH_IMAGE029
Obtained by secure calculation
Figure 760286DEST_PATH_IMAGE030
. By the distributive law of multiplication:
Figure 556204DEST_PATH_IMAGE031
the inverse of δ is further computed so that the participants all hold the same inverse of the product of the shared secret a and the secret k.
According to the threshold signature method provided by this embodiment of the application, in the step of calculating the inverse element of k × a (the secret inverse element sharing step of the distributed key generation stage), each participant uses the other party's homomorphic encryption public key to encrypt its own temporary secret, the ciphertext and the interference factor, obtaining the first encrypted data. When the other party verifies that the zero-knowledge proof of the temporary secret and the interference factor is legal, it decrypts the first encrypted data with its own homomorphic encryption private key to obtain the first interaction secret; after the base value of the shared secret has been calculated, the base values of the shared secret of all participants are used to calculate the inverse element of the shared secret. It can be seen that, because the inverse element of the shared secret is obtained by homomorphic encryption, no polynomial needs to be constructed and the polynomial order is not doubled. In the (t, n) threshold, the number of participants n of the threshold signature method based on the SM2 signature algorithm therefore only needs to be greater than or equal to the number t of participants taking part in the signature, and a valid digital signature can be generated without 2t + 1 participants. In addition, interference factors are introduced in the secret inverse element sharing step, which effectively prevents secret leakage.
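The exchange in steps S101 to S110 can be run end to end as follows. This is an added example, not code from the patent: it uses textbook Paillier (the algorithm the page names for its benchmarks) with small demo keys, omits the zero-knowledge proofs of S104 to S106, and assumes the usual forms E(α_{i,j}) = a_i ⊗ E_j(k_j) ⊕ E_j(β') with β' = -β_{i,j}, and δ_i = a_i·k_i + Σ α + Σ β, because the page's own formulas are in figures that are not reproduced here. All function and variable names are hypothetical.

```python
import secrets

# Order N of the SM2 curve group; every secret below is a scalar mod N.
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123

def is_probable_prime(n, rounds=24):
    """Miller-Rabin test, used only to generate the demo Paillier keys."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

class Paillier:
    """Textbook Paillier with g = n + 1 (demo key size, not a production key).
    The modulus must exceed N*N + N so that a_i*k_j + beta' never wraps."""
    def __init__(self, prime_bits=384):
        p, q = random_prime(prime_bits), random_prime(prime_bits)
        self.n, self.n2 = p * q, (p * q) ** 2
        self._phi = (p - 1) * (q - 1)          # private key
        self._mu = pow(self._phi, -1, self.n)  # private key

    def encrypt(self, m):
        r = secrets.randbelow(self.n - 1) + 1
        return (1 + m * self.n) * pow(r, self.n, self.n2) % self.n2

    def decrypt(self, c):
        return (pow(c, self._phi, self.n2) - 1) // self.n * self._mu % self.n

    def add(self, c1, c2):        # E(m1) (+) E(m2) -> E(m1 + m2)
        return c1 * c2 % self.n2

    def mul_const(self, c, a):    # a (x) E(m) -> E(a * m)
        return pow(c, a, self.n2)

def share_inverse(num_parties=3, prime_bits=384):
    ids = range(num_parties)
    k = [secrets.randbelow(N - 1) + 1 for _ in ids]   # random secrets k_i
    a = [secrets.randbelow(N - 1) + 1 for _ in ids]   # temporary secrets a_i
    keys = [Paillier(prime_bits) for _ in ids]        # one key pair per participant
    beta, alpha = {}, {}
    for j in ids:
        c_kj = keys[j].encrypt(k[j])                  # S101: U_j broadcasts E_j(k_j)
        for i in ids:
            if i == j:
                continue
            beta[i, j] = secrets.randbelow(N)         # S102: interference factor
            beta_neg = (N - beta[i, j]) % N           # beta' = -beta_{i,j} mod N
            c = keys[j].add(keys[j].mul_const(c_kj, a[i]),
                            keys[j].encrypt(beta_neg))  # S103: E(alpha_{i,j})
            # S104-S106 (zero-knowledge proof) omitted in this sketch.
            alpha[i, j] = keys[j].decrypt(c) % N      # S107: U_j learns a_i*k_j - beta
    delta_i = [(a[i] * k[i]
                + sum(alpha[j, i] for j in ids if j != i)   # secrets U_i decrypted
                + sum(beta[i, j] for j in ids if j != i))   # factors U_i chose
               % N for i in ids]                      # S108: broadcast base values
    delta = sum(delta_i) % N                          # S109: the betas cancel
    delta_inv = pow(delta, -1, N)                     # S110
    return {"k": k, "a": a, "delta": delta, "delta_inv": delta_inv}

if __name__ == "__main__":
    out = share_inverse()
    print("delta == a*k mod N:", out["delta"] == sum(out["a"]) * sum(out["k"]) % N)
```

Each a_i·δ^-1 computed from the returned values is the constant term a participant later uses in S202; their sum is the inverse of k = Σ k_i, although no participant ever sees k or a.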
Third, calculating the public key and shares:
A method for calculating the public key and shares disclosed in another embodiment of the present application, as shown in fig. 2, includes the following steps:
Each participant U_i performs the following steps:
S201, generate a random number x_i as its own X-axis abscissa, where
Figure 43817DEST_PATH_IMAGE032
and the values held by the participants are required to be different from one another.
S202, generate a polynomial of order t-1:
Figure 394027DEST_PATH_IMAGE033
using the product of its own temporary secret a_i and the inverse of the shared secret δ as the shared secret shard:
Figure 890867DEST_PATH_IMAGE034
as the constant term, with coefficients
Figure 13063DEST_PATH_IMAGE035
And N is the order of the SM2 elliptic curve.
S203, calculate the hash commitments {u_{i,j}·G} of the polynomial coefficients.
S204, broadcast its own X-axis abscissa x_i, the hash commitments of the polynomial coefficients, and the commitment verification of the random secret k_i
Figure 937157DEST_PATH_IMAGE005
After receiving participant U_i's X-axis abscissa x_i, the commitment verification D_i of the random secret k_i and the hash commitments of the polynomial coefficients, participant U_j performs the following steps:
S205, check whether the X coordinate of participant U_i is repeated.
If the received X coordinate is a duplicate, the X-axis abscissa x_i, the hash commitments of the polynomial coefficients and the commitment of the random secret k_i broadcast in step S204 are received again. If the received X coordinate is not a duplicate, the following steps continue:
S206, when the second commitment C_i of the random secret k_i is verified as legal, obtain the target value k_i·G in the second commitment of the random secret k_i.
Specifically, it is verified whether the hash commitment C_i received in the preparation stage is legal; if it is, then from the commitment verification of the random secret k_i
Figure 40242DEST_PATH_IMAGE005
k_i·G is obtained.
S207, calculating a public key corresponding to the shared secret by using the target value of each participant
Figure 871932DEST_PATH_IMAGE001
Figure 642441DEST_PATH_IMAGE036
Thus, it can be seen that: the actual secret shared private key is (k-1).
S208, using the X coordinate x_i of the other party, evaluate its own polynomial to obtain the polynomial execution result v_{i,j} = f_j(x_i), and send it back to the other party U_i.
After receiving the polynomial execution result v_{i,j} of the other party, each participant U_i executes the following steps:
S209, verify whether the result of the target polynomial p_j(x) is equal to the target result.
Specifically: construct the target polynomial p_j(x) using the other party's polynomial coefficient commitments as coefficients, then evaluate it with its own X coordinate, and verify whether the result is equal to the target result v_{i,j}·G. The target result is the product of the other party's polynomial execution result v_{i,j} and the base point G of the elliptic curve.
S210, if the result of the target polynomial p_j(x) is verified to be equal to the target result, calculate the share using the polynomial execution results v_{i,j} of each participant and its own polynomial of order t-1:
Figure 471857DEST_PATH_IMAGE037
S211, calculate and broadcast a zero-knowledge proof of the share sh_i.
Optionally, the standard Schnorr non-interactive zero-knowledge proof of knowledge protocol may be used to calculate the zero-knowledge proof of sh_i, comprising the following steps:
① Calculate
Figure 327818DEST_PATH_IMAGE038
② Generate two random numbers m and n, with m, n ∈ [1, N-1], where N is the order of the SM2 elliptic curve.
③ Compute alpha = m · G + n · G.
④ Calculate
Figure 900882DEST_PATH_IMAGE039
⑤ Calculate
Figure 729160DEST_PATH_IMAGE040
t = n; N is the order of the SM2 elliptic curve.
The calculation result (V, u, t, alpha) is a verifiable zero-knowledge proof.
After receiving the zero-knowledge proof of a share sh_i, each participant performs the following steps:
S212, verify the zero-knowledge proof of the share sh_i:
① Calculate
Figure 791794DEST_PATH_IMAGE041
② Verify whether the following equation holds:
Figure 72734DEST_PATH_IMAGE042
where G is the base point of the SM2 elliptic curve, · represents elliptic curve point multiplication, and + represents elliptic curve point addition.
S213, obtain the sh_i·G value from the zero-knowledge proof of each participant's share sh_i, i.e. the V value in the zero-knowledge proof.
S214, verify whether the target equation holds:
Figure 511806DEST_PATH_IMAGE002
. In the formula, sh_i denotes the share of each participant, G denotes the base point of the elliptic curve, δ^-1 is the inverse of the shared secret, and a_i is the temporary secret of each participant.
If the target equation is verified, step S215 is executed: it is determined that generation of the shares and the public key is complete.
Through the above interaction, each of the n participants holds a public X abscissa and a Feldman verifiable secret share, and for a [t, n] threshold, the interaction of t participants can generate a correct signature.
For a public-private key pair {d, P} of the SM2 encryption algorithm, the actual shared secret is the inverse of (1 + d), which simplifies the subsequent multi-party signing process:
Figure 991328DEST_PATH_IMAGE043
No information about the shared secret is revealed during the interaction, and hash commitments and zero-knowledge proofs are used to secure the interaction process.
The public key of the shared secret is:
Figure 631388DEST_PATH_IMAGE044
It should be further noted that steps S211 to S214 are optional: if the shared share sh_i does not need to be verified through a zero-knowledge proof, steps S211 to S214 need not be performed.
The signing process is also described below by way of example.
First, the preparation stage:
In the preparation stage, a set of participants taking part in the signature can be constructed. Specifically, this set is completed by finding t participants among the n participants of the threshold signature method based on the SM2 signature algorithm.
In the method for generating the set of participants taking part in the signature, each of the n participants of the threshold signature method based on the SM2 signature algorithm performs the following steps. The interaction between participant U_i and participant U_j is used for illustration below; as shown in fig. 3, each participant first performs the following steps, taking participant U_i as an example:
S301, convert the plaintext M to be signed into an integer
Figure 196362DEST_PATH_IMAGE045
where Z_A = H(ENTL_A || ID_A || a || b || x_G || y_G || x_A || y_A); according to the SM2 elliptic curve public key cryptographic algorithm, the elliptic curve equation parameters a and b, the coordinates x_G, y_G of G and the coordinates x_A, y_A of P_A are converted into bit strings; H is the hash algorithm, which is SM3 for the SM3WITHSM2 signature algorithm.
S302, calculate a hash commitment over the SM2 elliptic curve base point G, the public key P and the integer e corresponding to the plaintext M to be signed, as follows: Hash(G || e·P). This commitment is called the first commitment.
S303, select a random secret key
Figure 373878DEST_PATH_IMAGE046
and calculate its hash commitment Hash(k_i·G); this commitment is referred to as the second commitment.
S304, generate a homomorphic encryption public-private key pair, where the homomorphic encryption public key is P_i.
S305, broadcast the first commitment, the second commitment and the homomorphic encryption public key P_i.
Participant U_i broadcasts the first commitment, the second commitment and the homomorphic encryption public key P_i to each participant.
S306, after receiving the first commitment, the second commitment and the homomorphic encryption public key P_i, each party verifies whether the first commitment Hash(G || e·P) is the same as the first commitment it holds itself.
Participant U_j receives the first commitment, the second commitment and the homomorphic encryption public key P_i, then verifies whether its own first commitment is identical to the received first commitment, and performs the following steps.
If they are the same, the other party is proved to be a legal signature participant that holds the same public key P and the same integer e corresponding to the plaintext M to be signed, and S307 and S308 are executed.
S307, record the legal signature participant in the set S of participants taking part in the signature.
S308, store the homomorphic encryption public key P_i broadcast by the other party and the commitment of its random key k_i for later use, i.e. hold the homomorphic encryption public key P_i and the second commitment.
It should be noted that the joint signature calculation starts once it is confirmed that the set of participants taking part in the signature satisfies |S| ≥ t.
Second, converting shares to weights:
For a polynomial of order t-1
Figure 973486DEST_PATH_IMAGE047
the solution can be obtained when t or more non-coincident points are known.
According to the Lagrange interpolation method, an interpolation polynomial L_n(x) of degree not exceeding t can be constructed such that
Figure 581185DEST_PATH_IMAGE048
holds. Its Lagrange interpolation formula is:
Figure 633455DEST_PATH_IMAGE049
Therefore, for a set S of t or more participants taking part in a signature, the x coordinate value of each participant is known, and the Lagrange interpolation formula can be used to convert the held secret share s_i into a weight
Figure 86433DEST_PATH_IMAGE050
such that the shared secret f(0) satisfies:
Figure 806127DEST_PATH_IMAGE051
It should be noted that, in solving the polynomial of order t-1, the Lagrange coefficient matrix transformation is used to convert the held secret share and the participant's X abscissa into the respective weight w_i without revealing the secret, and the sum of the w_i is equal to the shared secret, which facilitates subsequent computations.
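The share-to-weight conversion can be checked numerically as below. This is an added example, not code from the patent: it works only on scalars mod the SM2 order N, leaves out the Feldman commitment checks of S203 to S209, and uses the standard Lagrange coefficient at x = 0; the function names and the 3-of-5 parameters are assumptions.

```python
import secrets
from itertools import combinations

# Order N of the SM2 curve group.
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123

def poly_eval(coeffs, x):
    """Horner evaluation of f(x) = coeffs[0] + coeffs[1]*x + ... mod N."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % N
    return acc

def deal_shares(constants, xs, t):
    """S201-S210 without commitments: participant j deals a polynomial f_j of
    order t-1 with f_j(0) = constants[j]; participant i keeps
    sh_i = sum_j f_j(x_i). Returns {x_i: sh_i}."""
    if len(set(xs)) != len(xs) or any(x % N == 0 for x in xs):
        raise ValueError("X coordinates must be distinct and non-zero")  # S205
    polys = [[c % N] + [secrets.randbelow(N) for _ in range(t - 1)]
             for c in constants]
    return {x: sum(poly_eval(f, x) for f in polys) % N for x in xs}

def weight(x_i, sh_i, signer_xs):
    """w_i = sh_i * prod_{j != i} (0 - x_j) / (x_i - x_j) mod N.
    A signer needs only its own share and the public X coordinates."""
    num = den = 1
    for x_j in signer_xs:
        if x_j != x_i:
            num = num * (-x_j) % N
            den = den * (x_i - x_j) % N
    return sh_i * num * pow(den, -1, N) % N

def demo(n=5, t=3):
    """For every signer subset of size t-1, t and t+1, report whether the
    weights sum to the shared secret f(0) = sum of the dealt constants."""
    constants = [secrets.randbelow(N) for _ in range(n)]
    xs = []
    while len(xs) < n:
        x = secrets.randbelow(N - 1) + 1
        if x not in xs:
            xs.append(x)
    shares = deal_shares(constants, xs, t)
    secret = sum(constants) % N
    results = {}
    for size in (t - 1, t, t + 1):
        for subset in combinations(xs, size):
            total = sum(weight(x, shares[x], subset) for x in subset) % N
            results.setdefault(size, []).append(total == secret)
    return results

if __name__ == "__main__":
    for size, oks in demo().items():
        print(f"{size} signers: weights sum to f(0) in {sum(oks)}/{len(oks)} subsets")
```

Any subset of t or more signers recovers f(0) as a plain sum of weights, while t-1 signers do not, which is why the signing stage can treat the w_i as additive shares.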
Third, calculating the signature:
The t participants in the set of participants taking part in the signature, constructed by the above embodiment, interact with one another to complete the signature of the plaintext to be signed. Again using the interaction between participant U_i and participant U_j, the t participants in the set perform the following steps, as shown in fig. 4, with participant U_j used for illustration.
S401, participant U_j uses its homomorphic encryption public key P_j to encrypt the random secret k_j it holds, obtaining the ciphertext E_j(k_j) of the random secret k_j, and broadcasts it to the other participants.
After receiving the ciphertext E_j(k_j) broadcast by participant U_j, each participant performs the following steps; participant U_i is used for illustration below.
S402, after receiving the ciphertext E_j(k_j) encrypted by the other party, participant U_i generates a random interference factor β_{i,j} and calculates β' = -β_{i,j}.
S403, using the homomorphic encryption public key of participant U_j, homomorphically encrypt the weight value w_i, the ciphertext E_j(k_j) and the interference factor β_{i,j} to obtain the second encrypted data.
The formula for the second encrypted data is:
Figure 584727DEST_PATH_IMAGE052
S404, calculate a zero-knowledge proof of the weight value w_i and the interference factor β_{i,j}.
Any algorithm supporting zero-knowledge proofs of knowledge may be used to calculate the zero-knowledge proof of the weight value w_i and the interference factor β_{i,j}. The extended Schnorr non-interactive zero-knowledge proof of knowledge protocol is again taken as an example below.
The steps of calculating the zero-knowledge proof of the weight value w_i and the interference factor β_{i,j} comprise:
① U_i uses its own weight value w_i, the interference factor β_{i,j} and its own fixed point R_i to calculate the value V by the following formula:
Figure 124293DEST_PATH_IMAGE053
② Generate two random numbers m, n and calculate the alpha value:
Figure 646541DEST_PATH_IMAGE012
③ Calculate
Figure 689584DEST_PATH_IMAGE013
where H is the agreed hash algorithm, such as SM3.
④ Calculate
Figure 639085DEST_PATH_IMAGE014
Figure 197105DEST_PATH_IMAGE015
. N is the order of the SM2 elliptic curve.
⑤ The result (V, u, t, alpha) is the verifiable proof.
S405, send the second encrypted data E(α_{i,j}) and the zero-knowledge proof of the weight value w_i and the interference factor β_{i,j} to the other party.
After receiving the message, participant U_j executes the following steps:
S406, participant U_j verifies the zero-knowledge proof of the weight value w_i and the interference factor β_{i,j}.
S407, if the zero-knowledge proof is verified, decrypt the second encrypted data E(α_{i,j}) with its own homomorphic encryption private key to obtain the second interaction secret
Figure 523045DEST_PATH_IMAGE054
S408, from the zero-knowledge proof of the weight value w_i and the interference factor β_{i,j}, obtain the w_i·G value of participant U_i.
S409, after collecting the information of each participant, use its own weight value w_i, random secret k_i and interference factor β_{i,j}, together with the second interaction secret α_{i,j} of each participant, to calculate the base value δ_i
Figure 420593DEST_PATH_IMAGE055
S410, broadcast the second commitment of the random secret k_j, i.e. the commitment of k_j·G.
After receiving the commitment of k_j·G, participant U_i performs the following steps:
S411, when the received commitment of k_j·G is verified as legal, take the target value k_j·G out of the commitment, and use the k_j·G values in the second commitments of the random secrets k_j of all participants to calculate the target value
Figure 337734DEST_PATH_IMAGE056
S412, calculate the first signature value r from the target value R and the integer e corresponding to the plaintext M to be signed; the calculation formula is: r = R_x + e mod N. N is the order of the SM2 elliptic curve.
S413, calculate its own signature base value
Figure 851892DEST_PATH_IMAGE057
and broadcast the signature base value.
S414, after collecting the s_i of the other participants taking part in the signature, use the signature base values s_i of all participants and the first signature value r to calculate the second signature value s, s
Figure 715943DEST_PATH_IMAGE058
S415, combine the first signature value and the second signature value to obtain the final signature (r, s).
It should be noted that, in prior-art threshold signature schemes based on the SM2 signature algorithm, the secret product must be shared in the signature stage and a polynomial must also be constructed, so the order of the polynomial is doubled, n must be greater than or equal to 2t, and 2t + 1 participants are needed to generate a valid digital signature.
In the threshold signature method provided by this embodiment of the application, in the signing step the weight value, the ciphertext and the interference factor are encrypted with the other party's homomorphic encryption public key by a homomorphic encryption method to obtain the second encrypted data, and a zero-knowledge proof of the weight value and the interference factor is calculated. When a second commitment of the random secret sent by the other party is received and verified as legal, the target value in that second commitment is obtained; the target value is calculated from the target values in the second commitments of the random secrets of all participants, and the first signature value is calculated from the target value and the integer corresponding to the plaintext to be signed. When the other party verifies that the zero-knowledge proof of the weight value and the interference factor is legal, it decrypts the second encrypted data with its own homomorphic encryption private key to obtain the second interaction secret; the base value is calculated from the participant's own weight value, random secret and interference factor and the second interaction secret of each participant, and the signature base value is calculated from the base value, the weight value and the first signature value. The second signature value is calculated from the signature base values of all participants and the first signature value, and the first signature value and the second signature value are combined to obtain the final signature.
It can thus be seen that, because a homomorphic encryption method is used in the signing step, signing the plaintext does not require constructing a polynomial and the polynomial order is not doubled. In the (t, n) threshold, this further ensures that the number of participants n of the threshold signature method based on the SM2 signature algorithm only needs to be greater than or equal to the number t of participants taking part in the signature, and 2t + 1 participants are not required to generate a valid digital signature.
It should also be noted that the participants of the threshold signature method based on the SM2 signature algorithm only need to perform one encryption and decryption in the secret inverse element sharing step and one encryption and decryption in the signing step; no complex algorithm is needed, so performance can be greatly improved, and during the interaction between the participants the secret key never exists in complete form, which ensures security.
Signature verification
Because the signature (r, s) obtained by signing the plaintext M with the signature method disclosed in this embodiment fully conforms to the national cryptographic SM2 algorithm specification, signature verification can be carried out directly with the public key, the digital signature and the signed content according to the specification of GM/T 0003.2 (SM2 elliptic curve public key cryptographic algorithm, part 2: digital signature algorithm). The brief steps of signature verification are as follows:
After receiving the signature (r, s) and the plaintext M to be signed:
1) According to the specification of GM/T 0003.2 (SM2 elliptic curve public key cryptographic algorithm, part 2: digital signature algorithm), the plaintext M to be signed is converted into an integer
Figure 358013DEST_PATH_IMAGE045
where Z_A = H(ENTL_A || ID_A || a || b || x_G || y_G || x_A || y_A); the elliptic curve equation parameters a and b, the coordinates x_G, y_G of G and the coordinates x_A, y_A of P_A are converted into bit strings; H is the hash algorithm, which is SM3 for the SM3WITHSM2 signature algorithm; and M is the data to be verified.
2) It is calculated whether the following formula holds.
The formula is as follows:
Figure 914896DEST_PATH_IMAGE059
where G is the base point of the SM2 elliptic curve and P is the public key.
3) Check whether the equation holds: (x' + e) is equal to r in the signature.
Compared with the prior art, the threshold signature method based on the SM2 signature algorithm provided by this embodiment of the application is greatly improved in execution efficiency, which improves its practicability. The comparison can be made along two dimensions, network interaction and amount of computation.
Network interaction: the complexity of network interaction can be divided into the number of interactions and the data volume; the number of network interactions represents the network complexity of the algorithm, and the volume of data exchanged represents the network bandwidth consumed. Amount of computation: this evaluates the computational complexity of the algorithm and how efficiently it uses computing resources.
The comparison of network interaction complexity is shown in the following table:
Figure 8360DEST_PATH_IMAGE060
In order to evaluate the computational efficiency of the algorithm more carefully, the threshold signature scheme provided by the application first carries out a benchmark performance evaluation of the key operations; to ensure comparability, the same homomorphic encryption algorithm, namely the Paillier algorithm, is selected:
Figure 676102DEST_PATH_IMAGE062
From the benchmark tests it can be seen that homomorphic encryption is very resource consuming.
Comparison of calculated quantity evaluations is shown in the following table:
Figure 751506DEST_PATH_IMAGE063
Another embodiment of the present application further discloses a threshold signature apparatus based on the SM2 signature algorithm, configured to perform the three stages of generating a distributed key, signing a plaintext to be signed, and verifying the signature. For sharing the secret inverse element in the distributed key generation stage, as shown in fig. 5, the threshold signature apparatus includes:
a first encryption unit 501, configured to encrypt its own temporary secret, a ciphertext and an interference factor using the other party's homomorphic encryption public key by a homomorphic encryption method to obtain first encrypted data; the ciphertext is obtained by the other party encrypting its random secret k_j with its homomorphic encryption public key; the other party refers to each of the n participants of the threshold signature method based on the SM2 signature algorithm;
a first calculation unit 502, configured to calculate a zero-knowledge proof of the temporary secret and the interference factor;
a first sending unit 503, configured to send the zero-knowledge proof of the temporary secret and the interference factor, and the first encrypted data, to the other party;
a first receiving unit 504, configured to receive the base value of the shared secret sent by the other party; the base value of the shared secret is calculated by the other party using its own temporary secret, random secret and interference factor and the first interaction secret of each participant; the first interaction secret is obtained by the other party decrypting the first encrypted data with its own homomorphic encryption private key when it verifies that the zero-knowledge proof of the temporary secret and the interference factor is legal;
and a second calculation unit 505, configured to calculate the inverse element of the shared secret using the base values of the shared secret of all participants.
For a specific working process of the units disclosed in the embodiments of the present application, reference may be made to the contents of the embodiment corresponding to fig. 1, which are not described herein again.
Optionally, in another embodiment of the present application, for signing a plaintext to be signed, the threshold signature apparatus includes:
a second encryption unit, configured to encrypt the weight value, the ciphertext and the interference factor using the other participant's homomorphic encryption public key by a homomorphic encryption method to obtain second encrypted data; the ciphertext is obtained by the other participant encrypting its random secret with its homomorphic encryption public key; the weight value is obtained by converting the secret share; the other participant refers to each participant in the set of participants taking part in the signature;
a third calculation unit, configured to calculate a zero-knowledge proof of the weight value and the interference factor;
a second sending unit, configured to send the zero-knowledge proof of the weight value and the interference factor, and the second encrypted data, to the other party;
a second receiving unit, configured to receive the second commitment of the random secret sent by the other party;
a first processing unit, configured to obtain the target value in the second commitment of the random secret when that second commitment is verified as legal, calculate the target value using the target values in the second commitments of the random secrets of all participants, and calculate a first signature value using the target value and the integer corresponding to the plaintext to be signed;
a fourth calculation unit, configured to calculate its own signature base value, and to calculate a second signature value using the signature base values of all participants and the first signature value; the signature base value s_i is calculated from the base value, the weight value and the first signature value; the base value is calculated from its own weight value, random secret and interference factor and the second interaction secret of each participant; the second interaction secret is obtained by the other participant decrypting the second encrypted data with its own homomorphic encryption private key when it verifies that the zero-knowledge proof of the weight value and the interference factor is legal;
and a combining unit, configured to combine the first signature value and the second signature value to obtain the final signature.
For a specific working process of the unit disclosed in the embodiment of the present application, reference may be made to the content of the embodiment corresponding to fig. 4, which is not described herein again.
Optionally, in another embodiment of the present application, as shown in fig. 6, the threshold signature apparatus based on the SM2 signature algorithm further includes, in addition to the first encryption unit 601, the first calculation unit 602, the first sending unit 603, the first receiving unit 604, and the second calculation unit 605:
a generating unit 606, configured to generate a homomorphic encryption public key and a private key pair, and calculate to obtain a first commitment and a second commitment; the first commitment is a commitment of an integer corresponding to an elliptic curve base point, a public key and a plaintext to be signed; the second commitment is a commitment to a random secret of itself.
A third receiving unit 607, configured to receive the first commitment, the second commitment, and the homomorphic encryption public key broadcasted by the other party.
A saving unit 608, configured to verify that the first commitment broadcasted by the other party is the same as the first commitment of the other party, add the other party as a participant participating in the signature into the participant set participating in the signature, and save the homomorphic encrypted public key and the second commitment of the other party.
The specific working process of the generating unit 606, the third receiving unit 607 and the saving unit 608, which cooperate to generate the participant set participating in the signature, may refer to the content corresponding to the embodiment of fig. 3, and is not described herein again.
Optionally, in another embodiment of the present application, the threshold signature apparatus, when computing the public key and the share in the phase of generating the distributed key, includes:
A fourth receiving unit, configured to receive the X-axis abscissa, the commitments of the polynomial coefficients, and the first commitment of the random secret broadcast by the other party.
A first verification unit, configured to verify whether the second commitment of the random secret of the other party is valid when the X-axis abscissa broadcast by the other party is not repeated.
A second processing unit, configured to, if the second commitment of the random secret is verified to be valid, obtain the target value in the second commitment of the random secret, and calculate the public key using the target value in the second commitment of the random secret of each participant.
A second verification unit, configured to verify, when receiving a polynomial execution result broadcast by the other party, whether the calculation result of a target polynomial is equal to a target result; the target polynomial is constructed by using the polynomial coefficient commitments of the other party as coefficients, and the target result is the product of the polynomial execution result of the other party and the elliptic curve base point.
A fifth calculating unit, configured to calculate the share using the polynomial execution result of each participant and the t-1 order polynomial of the participant if the calculation result of the target polynomial is verified to be equal to the target result.
Optionally, in another embodiment of the present application, the threshold signature apparatus based on the SM2 signature algorithm further includes:
A sixth calculating unit, configured to calculate the zero-knowledge proof of the share.
A third transmitting unit, configured to broadcast to the other party.
An acquisition unit, configured to, when the zero-knowledge proof of the share of each participant is received, obtain a characteristic value of the zero-knowledge proof of the share of each participant if that proof is verified to be valid.
A third verifying unit, configured to verify whether a target equation is satisfied, where the target equation is:
Figure 948132DEST_PATH_IMAGE002
(ii) a In the formula, shiDenotes share per participant, G denotes base point of elliptic curve, delta-1Refers to the inverse of the shared secret,a i refers to the temporal secret of each participant.
And the judging unit is used for judging that the generation of the share and the public key is finished if the verification target equation is established.
For the specific working processes of the units provided in the above two embodiments, reference may be made to the content of the embodiment shown in fig. 2, which is not described herein again.
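The second verification unit's check described above is the commitment check used in Feldman-style verifiable secret sharing. The following Python sketch is an added example, not code from the patent: the function names, the convention that A_k = a_k·G commits to coefficient a_k, and forming the share as the sum of the verified evaluations are assumptions, and rejecting an abscissa of 0 goes beyond the non-repetition check in the text.

```python
# Added illustration (not the patent's code): checking a broadcast polynomial
# evaluation against coefficient commitments on the SM2 curve.
import secrets

# SM2 recommended curve y^2 = x^3 + A*x + b over F_P; base point G has order N.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
O = None  # point at infinity


def add(p1, p2):
    """Affine point addition. Not constant time: for illustration only."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt, with k reduced mod N."""
    k %= N
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def deal(coeffs, xs):
    """Dealer: commit to every coefficient of f and evaluate f at each abscissa."""
    commits = [mul(a, G) for a in coeffs]
    evals = {x: sum(a * pow(x, k, N) for k, a in enumerate(coeffs)) % N
             for x in xs}
    return commits, evals


def check_abscissas(xs):
    """No abscissa may repeat (compared mod N). Rejecting 0 is an added check:
    f(0) is the dealer's secret constant term."""
    reduced = [x % N for x in xs]
    return len(set(reduced)) == len(reduced) and 0 not in reduced


def verify_eval(commits, x, v):
    """Receiver: the committed polynomial sum_k x^k * A_k must equal v * G."""
    acc = O
    for k, a_k in enumerate(commits):
        acc = add(acc, mul(pow(x, k, N), a_k))
    return acc == mul(v, G)


def receive_share(x, dealt):
    """Verify every dealer's evaluation at x, then sum them into the share.
    Returns None as soon as any evaluation fails the commitment check."""
    if not all(verify_eval(commits, x, evals[x]) for commits, evals in dealt):
        return None
    return sum(evals[x] for _, evals in dealt) % N


if __name__ == "__main__":
    xs = [1, 2, 3]   # constructed abscissas, one per participant
    t = 2            # threshold: each polynomial has degree t-1
    assert check_abscissas(xs)
    dealt = [deal([secrets.randbelow(N - 1) + 1 for _ in range(t)], xs)
             for _ in xs]
    for x in xs:
        print(x, hex(receive_share(x, dealt)))
    # An evaluation that is off the committed polynomial is rejected.
    commits, evals = dealt[0]
    print(verify_eval(commits, 2, (evals[2] + 1) % N))
```

The arithmetic is written for readability only; it is not constant time and does not validate that received commitments are points on the curve.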
Another embodiment of the present application provides an electronic device, as shown in fig. 7, including:
one or more processors 701.
A memory 702 having one or more programs stored thereon.
The one or more programs, when executed by the one or more processors 701, cause the one or more processors 701 to implement a method as in any of the above embodiments.
Another embodiment of the present application provides a computer storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the method as described in any of the above embodiments.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the system or system embodiments are substantially similar to the method embodiments and therefore are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described system and system embodiments are only illustrative, wherein the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (12)

1. A threshold signature method based on SM2 signature algorithm is characterized by comprising three stages of generating a distributed secret key, signing a plaintext to be signed and verifying a signature, wherein the sharing of secret inverse elements in the stage of generating the distributed secret key comprises the following steps:
encrypting, by a homomorphic encryption method using the homomorphic encryption public key of the other party, its own temporary secret a_i, the ciphertext E_j(k_j) and the interference factor β_{i,j} to obtain first encrypted data; wherein the ciphertext E_j(k_j) is obtained by the other party encrypting its own random secret k_j with the homomorphic encryption public key P_j; the other party refers to each of the n participants of the threshold signature method based on the SM2 signature algorithm; i and j denote different participants, and i and j range from 1 to n; k_j denotes the random secret generated and held by participant U_j;
calculating a zero-knowledge proof of the temporary secret a_i and the interference factor β_{i,j};
sending the zero-knowledge proof of the temporary secret and the interference factor, and the first encrypted data, to the other party;
receiving a base value δ_i of the shared secret sent by the other party; wherein the base value of the shared secret is calculated by the other party using its own temporary secret a_i, random secret k_i and interference factor, and the first interaction secret α_{i,j} of each participant; wherein the first interaction secret α_{i,j} is obtained by the other party decrypting the first encrypted data with its own homomorphic encryption private key when the other party verifies that the zero-knowledge proof of the temporary secret and the interference factor is valid; k_i denotes the random secret generated and held by participant U_i;
and calculating the inverse element of the shared secret using the base value of the shared secret of each participant.
2. The threshold signature method of claim 1, wherein said signing plaintext to be signed comprises:
encrypting, by a homomorphic encryption method using the homomorphic encryption public key of the counterpart participant, the weight value w_i, the ciphertext E_j(k_j) and the interference factor β_{i,j} to obtain second encrypted data; wherein the ciphertext E_j(k_j) is obtained by the counterpart participant encrypting a random secret k_j with the homomorphic encryption public key P_j; the weight value w_i is obtained by converting the secret share s_i; the counterpart participant refers to each participant in a participant set selected from the n participants of the threshold signature method based on the SM2 signature algorithm;
calculating a zero-knowledge proof of the weight value w_i and the interference factor β_{i,j};
sending the zero-knowledge proof of the weight value and the interference factor, and the second encrypted data, to the counterpart participant;
receiving a second commitment of the random secret k_j sent by the counterpart participant;
when the second commitment of the random secret k_j is verified to be valid, obtaining the target value k_jG in the second commitment of the random secret k_j, calculating a target value R using the target value k_jG in the second commitment of the random secret k_j of each participant, and then calculating a first signature value r using the target value R and the integer e corresponding to the plaintext M to be signed; G denotes the base point of the elliptic curve;
calculating its own signature base value s_i, and calculating a second signature value s using the signature base value s_i of each participant and the first signature value r; wherein the signature base value s_i is calculated using the base value δ_i, the weight value w_i and the first signature value r; the base value δ_i is calculated using its own weight value w_i, random secret k_i and interference factor, and the second interaction secret α_{i,j} of each participant; the second interaction secret α_{i,j} is obtained by the counterpart participant decrypting the second encrypted data with its own homomorphic encryption private key when the counterpart participant verifies that the zero-knowledge proof of the weight value and the interference factor is valid;
and combining the first signature value and the second signature value to obtain a final signature.
3. The threshold signature method of claim 2, wherein before the signing of the plaintext to be signed, the method further comprises generating a set of participants participating in the signature, wherein the generating the set of participants participating in the signature comprises:
generating a homomorphic encryption public key and private key pair, and calculating a first commitment and a second commitment; the first commitment is a commitment of an integer e corresponding to an elliptic curve base point G, a public key P and a plaintext M to be signed; the second commitment is a commitment to its own random secret k_i;
receiving the first commitment, the second commitment and the homomorphic encryption public key broadcast by the other party;
and if the first commitment broadcasted by the opposite party is verified to be the same as the first commitment of the opposite party, the opposite party is used as a participant participating in the signature and added into the participant set participating in the signature, and the homomorphic encryption public key and the second commitment of the opposite party are saved.
4. The threshold signature method of claim 1, wherein computing the public key and the share in the stage of generating the distributed key comprises:
receiving the X-axis abscissa X_i, the commitments of the polynomial coefficients, and the first commitment D_i of the random secret k_i broadcast by the other party;
when the X-axis abscissa X_i broadcast by the other party is checked not to be repeated, verifying whether the second commitment C_i of the random secret k_i of the other party is valid;
if the second commitment of the random secret k_i is verified to be valid, obtaining the target value k_iG in the second commitment of the random secret k_i, and calculating the public key using the target value in the second commitment of the random secret k_i of each participant:
Figure 954890DEST_PATH_IMAGE001
when receiving a polynomial execution result v_{i,j} broadcast by the other party, verifying whether the calculation result of the target polynomial p_j(x) is equal to the target result; wherein the target polynomial p_j(x) is constructed by using the polynomial coefficient commitments of the other party as coefficients, and the target result is the product of the polynomial execution result v_{i,j} of the other party and the base point G of the elliptic curve;
if the calculation result of the target polynomial p_j(x) is verified to be equal to the target result, calculating the share sh_i using the polynomial execution result v_{i,j} of each participant and the t-1 order polynomial of the participant.
5. The threshold signature method of claim 4, wherein after the calculating of the share sh_i using the polynomial execution result v_{i,j} of each participant and the t-1 order polynomial of the participant, the method further comprises:
calculating a zero-knowledge proof of the share sh_i and broadcasting it to the other party;
when receiving the zero-knowledge proof of the share sh_i broadcast by each participant, if the zero-knowledge proof of the share sh_i of each participant is verified to be valid, obtaining the characteristic value of the zero-knowledge proof of the share sh_i of each participant;
verifying whether a target equation is established, wherein the target equation is as follows:
Figure 128383DEST_PATH_IMAGE002
(ii) a In the formula, shiDenotes share per participant, G denotes base point of elliptic curve, delta-1Refers to the inverse of the shared secret,a ia temporary secret referring to each participant;
and if the target equation is verified to be established, judging that the generation of the share and the public key is finished.
6. A threshold signature device based on SM2 signature algorithm is characterized in that the device is used for executing three stages of generating a distributed key, signing a plaintext to be signed and verifying a signature, wherein when the threshold signature device generates a share of a secret inverse element in the distributed key stage, the device comprises:
a first encryption unit, configured to encrypt, by a homomorphic encryption method using the homomorphic encryption public key of the other party, its own temporary secret a_i, the ciphertext E_j(k_j) and the interference factor β_{i,j} to obtain first encrypted data; wherein the ciphertext E_j(k_j) is obtained by the other party encrypting its own random secret k_j with the homomorphic encryption public key P_j; the other party refers to each of the n participants of the threshold signature method based on the SM2 signature algorithm; i and j denote different participants, and i and j range from 1 to n; k_j denotes the random secret generated and held by participant U_j;
a first calculation unit, configured to calculate a zero-knowledge proof of the temporary secret a_i and the interference factor β_{i,j};
a first transmitting unit, configured to transmit the zero-knowledge proof of the temporary secret and the interference factor, and the first encrypted data, to the other party;
a first receiving unit, configured to receive a base value δ_i of the shared secret sent by the other party; wherein the base value of the shared secret is calculated by the other party using its own temporary secret a_i, random secret k_i and interference factor, and the first interaction secret α_{i,j} of each participant; wherein the first interaction secret α_{i,j} is obtained by the other party decrypting the first encrypted data with its own homomorphic encryption private key when the other party verifies that the zero-knowledge proof of the temporary secret and the interference factor is valid; k_i denotes the random secret generated and held by participant U_i;
and a second calculation unit, configured to calculate the inverse element of the shared secret using the base value of the shared secret of each participant.
7. The threshold signature apparatus of claim 6, wherein the threshold signature apparatus, when signing a plaintext to be signed, comprises:
a second encryption unit, configured to encrypt, by a homomorphic encryption method using the homomorphic encryption public key of the counterpart participant, the weight value w_i, the ciphertext E_j(k_j) and the interference factor β_{i,j} to obtain second encrypted data; wherein the ciphertext E_j(k_j) is obtained by the counterpart participant encrypting a random secret k_j with the homomorphic encryption public key P_j; the weight value w_i is obtained by converting the secret share s_i; the counterpart participant refers to each participant in a participant set selected from the n participants of the threshold signature method based on the SM2 signature algorithm;
a third calculation unit, configured to calculate a zero-knowledge proof of the weight value w_i and the interference factor β_{i,j};
a second sending unit, configured to send the zero-knowledge proof of the weight value and the interference factor, and the second encrypted data, to the counterpart participant;
a second receiving unit, configured to receive a second commitment of the random secret k_j sent by the counterpart participant;
a first processing unit, configured to, when the second commitment of the random secret k_j is verified to be valid, obtain the target value k_jG in the second commitment of the random secret k_j, calculate a target value R using the target value k_jG in the second commitment of the random secret k_j of each participant, and calculate a first signature value using the target value R and the integer e corresponding to the plaintext M to be signed; G denotes the base point of the elliptic curve;
a fourth calculating unit, configured to calculate its own signature base value s_i, and calculate a second signature value s using the signature base value s_i of each participant and the first signature value r; wherein the signature base value s_i is calculated using the base value δ_i, the weight value w_i and the first signature value r; the base value δ_i is calculated using its own weight value w_i, random secret k_i and interference factor, and the second interaction secret α_{i,j} of each participant; the second interaction secret α_{i,j} is obtained by the counterpart participant decrypting the second encrypted data with its own homomorphic encryption private key when the counterpart participant verifies that the zero-knowledge proof of the weight value and the interference factor is valid;
and the combining unit is used for combining the first signature value and the second signature value to obtain a final signature.
8. The threshold signature apparatus of claim 7, further comprising:
a generating unit, configured to generate a homomorphic encryption public key and private key pair and calculate a first commitment and a second commitment; the first commitment is a commitment of an integer e corresponding to an elliptic curve base point G, a public key P and a plaintext M to be signed; the second commitment is a commitment to its own random secret k_i;
a third receiving unit, configured to receive the first commitment, the second commitment, and the homomorphic encryption public key broadcast by the other party;
and the storage unit is used for verifying that the first commitment broadcasted by the other party is the same as the first commitment of the other party, adding the other party serving as a signing participant into the signing participant set, and storing the homomorphic encryption public key and the second commitment of the other party.
9. The threshold signature apparatus of claim 6, wherein the threshold signature apparatus generates the public key and the share in the distributed key generation stage, and comprises:
a fourth receiving unit, configured to receive the X-axis abscissa X_i, the commitments of the polynomial coefficients, and the first commitment D_i of the random secret k_i broadcast by the other party;
a first verification unit, configured to verify whether the second commitment C_i of the random secret k_i of the other party is valid when the X-axis abscissa X_i broadcast by the other party is checked not to be repeated;
a second processing unit, configured to, if the second commitment of the random secret k_i is verified to be valid, obtain the target value k_iG in the second commitment of the random secret k_i, and calculate the public key using the target value in the second commitment of the random secret k_i of each participant:
Figure 466960DEST_PATH_IMAGE001
a second verification unit, configured to verify, when receiving a polynomial execution result v_{i,j} broadcast by the other party, whether the calculation result of the target polynomial p_j(x) is equal to the target result; wherein the target polynomial p_j(x) is constructed by using the polynomial coefficient commitments of the other party as coefficients, and the target result is the product of the polynomial execution result v_{i,j} of the other party and the base point G of the elliptic curve;
a fifth calculation unit, configured to, if the calculation result of the target polynomial p_j(x) is verified to be equal to the target result, calculate the share sh_i using the polynomial execution result v_{i,j} of each participant and the t-1 order polynomial of the participant.
10. The threshold signature apparatus of claim 9, further comprising:
a sixth calculating unit, configured to calculate a zero-knowledge proof of the share sh_i;
a third transmitting unit, configured to broadcast to the other party;
an obtaining unit, configured to, when receiving the zero-knowledge proof of the share sh_i broadcast by each participant, obtain the characteristic value of the zero-knowledge proof of the share sh_i of each participant if the zero-knowledge proof of the share sh_i of each participant is verified to be valid;
a third verifying unit, configured to verify whether a target equation is satisfied, where the target equation is:
Figure 700495DEST_PATH_IMAGE002
(ii) a In the formula, shiDenotes share per participant, G denotes base point of elliptic curve, delta-1Refers to the inverse of the shared secret,a ia temporary secret referring to each participant;
and the judging unit is used for judging that the generation of the share and the public key is finished if the target equation is verified to be established.
11. A computer storage medium for storing a computer program, which, when being executed by a processor, is particularly adapted to carry out the threshold signature method based on the SM2 signature algorithm according to any one of claims 1 to 5.
12. An electronic device comprising a memory and a processor;
wherein the memory is for storing a computer program;
the processor is configured to execute the computer program, in particular to implement the threshold signature method based on the SM2 signature algorithm according to any one of claims 1 to 5.
CN202110748702.8A 2021-07-02 2021-07-02 Threshold signature method, device, equipment and storage medium Active CN113507374B (en)

Publications (2)

Publication Number Publication Date
CN113507374A CN113507374A (en) 2021-10-15
CN113507374B true CN113507374B (en) 2021-11-30

Country Status (1)

Country Link
CN (1) CN113507374B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109547212A (en) * 2018-12-04 2019-03-29 中国电子科技集团公司第三十研究所 A kind of Threshold Signature method based on SM2 signature algorithm
US10630477B1 (en) * 2018-12-27 2020-04-21 Blue Helix Efficient threshold distributed elliptic curve key generation and signature method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110061828B (en) * 2019-04-04 2021-05-04 西安电子科技大学 Distributed digital signature method without trusted center

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant